* CVE-2022-24975
From: Mark Esler @ 2022-06-01 20:55 UTC
  To: git

Hello,

Could the git developers state their position on CVE-2022-24975? Is it
disputed or will it be addressed by upstream?

As I read the documentation, --mirror is working as stated and MITRE
should remove the CVE.

Thank you,
Mark Esler


* Re: CVE-2022-24975
From: Junio C Hamano @ 2022-06-01 21:12 UTC
  To: Mark Esler; +Cc: git

Mark Esler <mark.esler@canonical.com> writes:

> Hello,
>
> Could the git developers state their position on CVE-2022-24975? Is it
> disputed or will it be addressed by upstream?
>
> As I read the documentation, --mirror is working as stated and MITRE
> should remove the CVE.
>
> Thank you,
> Mark Esler

It took me a while to Google for "gitbleed" as I got tons of GI
bleed but no Gitbleed, so a quick conclusion is there is no such
credible thing called gitbleed ;-)

Jokes aside (yes, I know about [*]).

As you said, "A repository can have more than what branch heads and
tags can reach, and the --mirror option is a way to copy all the
things that are reachable from other refs.  It is 100% working as
intended."

During the discussion about [*] on the git-security@ mailing list,
everybody said that it is dubious that a CVE is warranted.  I am not
sure there is anything more for us to do.


[Reference]

* https://wwws.nightwatchcybersecurity.com/2022/02/11/gitbleed/

  the author of which asked git-security@ list and after getting
  things explained, accepted that this is a "working as intended"
  functionality and promised to adjust the blog post entry not to
  imply that the entire repository can be copied.  I do not know how
  much correction was actually made since then, though.

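The behaviour Junio describes, as an added example that is not part of the thread and is not git's own code: build a throwaway repository in which one commit is reachable only from a ref outside refs/heads/ and refs/tags/ (the ref name refs/hidden/secret and the commit messages are constructed for the demo), then clone it normally and with --mirror. It also goes one step past the thread and shows the server-side control for this, the real git option uploadpack.hideRefs, which keeps upload-pack from advertising matching refs so that a mirror clone cannot fetch them. It assumes git is in PATH; --no-local forces the local clones through the normal fetch negotiation instead of copying the objects directory wholesale, which would otherwise hide the difference.

```shell
#!/bin/sh
# Added example (not from the thread or the git project). Shows that a plain
# clone fetches only refs/heads/* and refs/tags/*, that `git clone --mirror`
# copies every advertised ref (including refs/hidden/secret, a constructed
# name), and that uploadpack.hideRefs on the origin stops the mirror from
# getting those refs. Requires git in PATH.
set -eu

# Fixed identity so the commits below work in an environment with no git config.
export GIT_AUTHOR_NAME=example GIT_AUTHOR_EMAIL=example@example.com
export GIT_COMMITTER_NAME=example GIT_COMMITTER_EMAIL=example@example.com

# Create a throwaway origin: one public commit on the default branch, plus a
# second commit pointed at only by refs/hidden/secret, which no branch or tag
# reaches. Prints the SHA of that secret commit.
make_origin() {
  dir=$1
  git -c init.defaultBranch=main init -q "$dir"
  git -C "$dir" commit -q --allow-empty -m "public commit"
  tree=$(git -C "$dir" rev-parse 'HEAD^{tree}')
  secret=$(echo "secret commit" | git -C "$dir" commit-tree "$tree" -p HEAD)
  git -C "$dir" update-ref refs/hidden/secret "$secret"
  echo "$secret"
}

# Print yes if repository <repo> contains commit <sha>, no otherwise.
has_commit() {
  if git -C "$1" cat-file -e "$2^{commit}" 2>/dev/null; then echo yes; else echo no; fi
}

# Clone the origin three ways and report whether each copy holds the secret
# commit. Prints one line:
#   plain=<yes|no> mirror=<yes|no> mirror_with_hiderefs=<yes|no>
compare_clones() {
  work=$(mktemp -d)
  secret=$(make_origin "$work/origin")

  # Default clone: refspec +refs/heads/*:refs/remotes/origin/* plus tags.
  git clone -q --no-local "$work/origin" "$work/plain"
  # Mirror clone: refspec +refs/*:refs/*, i.e. everything the server advertises.
  git clone -q --no-local --mirror "$work/origin" "$work/mirror.git"

  # Server-side fix: hide refs/hidden/* from upload-pack, then mirror again.
  git -C "$work/origin" config uploadpack.hideRefs refs/hidden
  git clone -q --no-local --mirror "$work/origin" "$work/mirror-hidden.git"

  printf 'plain=%s mirror=%s mirror_with_hiderefs=%s\n' \
    "$(has_commit "$work/plain" "$secret")" \
    "$(has_commit "$work/mirror.git" "$secret")" \
    "$(has_commit "$work/mirror-hidden.git" "$secret")"
  rm -rf "$work"
}

compare_clones
```

Running it prints `plain=no mirror=yes mirror_with_hiderefs=no`: the plain clone never sees the commit, the mirror gets it because the ref is advertised and --mirror asks for all refs, and once the origin hides refs/hidden/ the mirror no longer can. Deleting the ref (and then letting the objects be pruned) is the other way to make sure nothing is left to copy; hideRefs only stops advertisement and fetching, the objects stay in the origin repository.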

* Re: CVE-2022-24975
From: Mark Esler @ 2022-06-01 21:40 UTC
  To: Junio C Hamano; +Cc: git

Thanks Junio!


* RE: CVE-2022-24975
From: Dyer, Edwin @ 2022-06-06 15:11 UTC
  To: Junio C Hamano, Mark Esler; +Cc: git

Greetings:

If it helps, Qualys isn't flagging this CVE as we use Git in several versions. I checked our main Git box and nary a flag for it.

Ed Dyer
DevOps Engineer

Malum Consilium Quod Mutari Non Potest

